Bug 724356 - Crash @ gfxMixedFontFamily::ReplaceFontEntry
Status: RESOLVED FIXED
Keywords: crash, regression
Product: Core
Classification: Components
Component: Graphics
Version: 13 Branch
Platform: All Windows 7
Importance: -- critical
Target Milestone: mozilla13
Assigned To: Jonathan Kew (:jfkthame)
Blocks: 721315

Reported: 2012-02-05 03:00 PST by Scoobidiver (away)
Modified: 2012-02-06 00:51 PST


Attachments
patch, check the proxy's family pointer is still valid before using it (1011 bytes, patch)
2012-02-05 04:00 PST, Jonathan Kew (:jfkthame)
jd.bugzilla: review+

Description Scoobidiver (away) 2012-02-05 03:00:19 PST
It's a new crash signature that first appeared in 13.0a1/20120204.
The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e777c939a3f9&tochange=766a59650976
It's likely a regression from bug 721315.

Signature 	gfxMixedFontFamily::ReplaceFontEntry(gfxFontEntry*, gfxFontEntry*)
UUID	1d72c5fe-d632-4b79-b473-ba8082120205
Date Processed	2012-02-05 01:09:40
Uptime	67
Last Crash	1.1 minutes before submission
Install Age	9.7 hours since version was first installed.
Install Time	2012-02-04 15:25:00
Product	Firefox
Version	13.0a1
Build ID	20120204031137
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x14
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2e32, AdapterSubsysID: 02f51028, AdapterDriverVersion: 8.15.10.2302
D2D? D2D+
DWrite? DWrite+
D3D10 Layers? D3D10 Layers+
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	xul.dll 	gfxMixedFontFamily::ReplaceFontEntry 	obj-firefox/dist/include/gfxUserFontSet.h:117
1 	xul.dll 	nsUserFontSet::ReplaceFontEntry 	layout/style/nsFontFaceLoader.cpp:711
2 	xul.dll 	gfxUserFontSet::OnLoadComplete 	gfx/thebes/gfxUserFontSet.cpp:563
3 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
4 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
5 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
6 	xul.dll 	nsTArray_base<nsTArrayDefaultAllocator>::ShiftData 	obj-firefox/dist/include/nsTArray-inl.h:266
7 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
8 	xul.dll 	nsTArray_base<nsTArrayDefaultAllocator>::ShiftData 	obj-firefox/dist/include/nsTArray-inl.h:266
9 	xul.dll 	nsHttpChannel::QueryInterface 	netwerk/protocol/http/nsHttpChannel.cpp:3630
10 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:96
11 	xul.dll 	nsFontFaceLoader::OnStreamComplete 	layout/style/nsFontFaceLoader.cpp:245
12 	xul.dll 	nsStreamLoader::OnDataAvailable 	netwerk/base/src/nsStreamLoader.cpp:182
13 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:127
14 	xul.dll 	nsCORSListenerProxy::OnStopRequest 	content/base/src/nsCrossSiteListenerProxy.cpp:646
15 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4355
16 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:583
17 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:405
18 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:114
19 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
20 	xul.dll 	nsTArray<nsTimerImpl*,nsTArrayDefaultAllocator>::IndexOf<nsTimerImpl*,nsDefaultComparator<nsTimerImpl*,nsTimerImpl*> > 	obj-firefox/dist/include/nsTArray.h:652
21 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
22 	xul.dll 	TimerThread::RemoveTimer 	xpcom/threads/TimerThread.cpp:435
23 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
24 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
25 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
26 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
27 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:258
28 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:220
29 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3537
30 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107

More reports at:
https://crash-stats.mozilla.com/report/list?signature=gfxMixedFontFamily%3A%3AReplaceFontEntry%28gfxFontEntry*%2C%20gfxFontEntry*%29
Comment 1 Jonathan Kew (:jfkthame) 2012-02-05 04:00:10 PST
Created attachment 594530
patch, check the proxy's family pointer is still valid before using it

This crash signature is triggered by bug 721315, I think, but it's really just highlighting a pre-existing problem that could have led to unpredictable behavior due to using a potentially-invalid family record.
Comment 2 John Daggett (:jtd) 2012-02-05 04:56:52 PST
Jonathan, how do we hit this codepath with mFamily == nsnull?
Comment 3 Jonathan Kew (:jfkthame) 2012-02-05 06:20:56 PST
I suspect we could hit this if the user font set has been deleted (e.g. due to navigating away from the page) immediately before the font loader completes, so the font set deletes the family (which now, since bug 721315, causes it to invalidate the mFamily pointers in its faces).
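
The lifetime problem described in comment 3, modelled as an added C++ example that is not Mozilla's code or the attached patch: a family clears its faces' back-pointers when it is destroyed, and a late load completion checks that pointer before using it. `Family`, `FontEntry`, `FacePtr` and `on_load_complete` are hypothetical names, and `std::shared_ptr` stands in for the real reference counting.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Family;
// Hypothetical face record: reference-counted, so it can outlive its family.
struct FontEntry {
    Family* family = nullptr;  // non-owning back-pointer, cleared by ~Family
};
using FacePtr = std::shared_ptr<FontEntry>;

struct Family {
    std::vector<FacePtr> faces;
    void add(const FacePtr& fe) { fe->family = this; faces.push_back(fe); }
    // Swap the placeholder (proxy) face for the fully loaded one.
    bool replace(const FacePtr& proxy, const FacePtr& loaded) {
        auto it = std::find(faces.begin(), faces.end(), proxy);
        if (it == faces.end()) return false;
        proxy->family = nullptr;
        loaded->family = this;
        *it = loaded;
        return true;
    }
    // Clear back-pointers so surviving faces never hold a dangling family.
    ~Family() { for (auto& fe : faces) fe->family = nullptr; }
};

// Load completion: the family may already be gone, so check before use.
bool on_load_complete(const FacePtr& proxy, const FacePtr& loaded) {
    Family* fam = proxy->family;
    if (!fam) return false;  // family destroyed: drop the result
    return fam->replace(proxy, loaded);
}

// Constructed scenario: the family is destroyed before the load completes.
bool late_completion_is_ignored() {
    auto proxy = std::make_shared<FontEntry>();
    { Family fam; fam.add(proxy); }  // e.g. navigating away from the page
    return !on_load_complete(proxy, std::make_shared<FontEntry>());
}

// Constructed scenario: the family is still alive, so the swap happens.
bool live_completion_replaces() {
    Family fam;
    auto proxy = std::make_shared<FontEntry>();
    auto loaded = std::make_shared<FontEntry>();
    fam.add(proxy);
    return on_load_complete(proxy, loaded) && fam.faces[0] == loaded
        && loaded->family == &fam && proxy->family == nullptr;
}
```
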
Comment 4 Jonathan Kew (:jfkthame) 2012-02-05 12:22:05 PST
Pushed to inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7c4257358d6a
Comment 5 Marco Bonardo [::mak] 2012-02-06 00:51:07 PST
https://hg.mozilla.org/mozilla-central/rev/7c4257358d6a
